Update integration tests to run Dex over HTTPS.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
parent
dd2133458e
commit
b17ac6ec0b
@ -265,6 +265,11 @@ if ! tilt_mode; then
|
|||||||
popd >/dev/null
|
popd >/dev/null
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# Download the test CA bundle that was generated in the Dex pod.
|
||||||
|
#
|
||||||
|
test_ca_bundle_pem="$(kubectl exec -n dex deployment/dex -- cat /var/certs/ca.pem)"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create the environment file
|
# Create the environment file
|
||||||
#
|
#
|
||||||
@ -287,7 +292,8 @@ export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='${supervisor_custom_labels}'
|
|||||||
export PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS="127.0.0.1:12345"
|
export PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS="127.0.0.1:12345"
|
||||||
export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344"
|
export PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS="localhost:12344"
|
||||||
export PINNIPED_TEST_PROXY=http://127.0.0.1:12346
|
export PINNIPED_TEST_PROXY=http://127.0.0.1:12346
|
||||||
export PINNIPED_TEST_CLI_OIDC_ISSUER=http://dex.dex.svc.cluster.local/dex
|
export PINNIPED_TEST_CLI_OIDC_ISSUER=https://dex.dex.svc.cluster.local/dex
|
||||||
|
export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}"
|
||||||
export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli
|
export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli
|
||||||
export PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT=48095
|
export PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT=48095
|
||||||
export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com
|
export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com
|
||||||
|
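Review bot: The `kubectl exec` on the `test_ca_bundle_pem=...` line in the first hunk has no success or non-empty check, so if the Dex pod is not yet running or its `generate-certs` init container has not finished writing `/var/certs/ca.pem`, the script continues with an empty bundle (unless it already runs under `set -e`), and because `PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE` is read optionally on the Go side the problem only surfaces later as a TLS verification error from the CLI. I would add `[[ -n "${test_ca_bundle_pem}" ]] || { echo "could not read Dex CA bundle from the dex pod" >&2; exit 1; }` directly after that line. The second hunk exports the multi-line PEM inside double quotes, which is only sound if the generated env file is later sourced by a shell rather than parsed line by line; the code that writes the file is outside the hunk, so confirm. Note also that the Dex pod mints a fresh CA on every restart (the certs volume is an emptyDir), so a bundle captured here goes stale if the deployment is recreated after this script runs.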
@ -6,13 +6,15 @@
|
|||||||
#@ load("@ytt:yaml", "yaml")
|
#@ load("@ytt:yaml", "yaml")
|
||||||
|
|
||||||
#@ def dexConfig():
|
#@ def dexConfig():
|
||||||
issuer: http://dex.dex.svc.cluster.local/dex
|
issuer: https://dex.dex.svc.cluster.local/dex
|
||||||
storage:
|
storage:
|
||||||
type: sqlite3
|
type: sqlite3
|
||||||
config:
|
config:
|
||||||
file: ":memory:"
|
file: ":memory:"
|
||||||
web:
|
web:
|
||||||
http: 0.0.0.0:80
|
https: 0.0.0.0:443
|
||||||
|
tlsCert: /var/certs/dex.pem
|
||||||
|
tlsKey: /var/certs/dex-key.pem
|
||||||
oauth2:
|
oauth2:
|
||||||
skipApprovalScreen: true
|
skipApprovalScreen: true
|
||||||
staticClients:
|
staticClients:
|
||||||
@ -67,24 +69,59 @@ spec:
|
|||||||
annotations:
|
annotations:
|
||||||
dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
|
dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
|
||||||
spec:
|
spec:
|
||||||
|
initContainers:
|
||||||
|
- name: generate-certs
|
||||||
|
image: cfssl/cfssl:1.5.0
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
command: ["/bin/bash"]
|
||||||
|
args:
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
cd /var/certs
|
||||||
|
cfssl print-defaults config > /tmp/cfssl-default.json
|
||||||
|
echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > csr.json
|
||||||
|
|
||||||
|
echo "generating CA key..."
|
||||||
|
cfssl genkey \
|
||||||
|
-config /tmp/cfssl-default.json \
|
||||||
|
-initca csr.json \
|
||||||
|
| cfssljson -bare ca
|
||||||
|
|
||||||
|
echo "generating Dex server certificate..."
|
||||||
|
cfssl gencert \
|
||||||
|
-ca ca.pem -ca-key ca-key.pem \
|
||||||
|
-config /tmp/cfssl-default.json \
|
||||||
|
-profile www \
|
||||||
|
-cn "dex.dex.svc.cluster.local" \
|
||||||
|
-hostname "dex.dex.svc.cluster.local" \
|
||||||
|
csr.json \
|
||||||
|
| cfssljson -bare dex
|
||||||
|
volumeMounts:
|
||||||
|
- name: certs
|
||||||
|
mountPath: /var/certs
|
||||||
containers:
|
containers:
|
||||||
- name: dex
|
- name: dex
|
||||||
image: quay.io/dexidp/dex:v2.10.0
|
image: quay.io/dexidp/dex:v2.10.0
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
command:
|
command:
|
||||||
- /usr/local/bin/dex
|
- /usr/local/bin/dex
|
||||||
- serve
|
- serve
|
||||||
- /etc/dex/cfg/config.yaml
|
- /etc/dex/cfg/config.yaml
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: https
|
||||||
containerPort: 80
|
containerPort: 443
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: config
|
- name: dex-config
|
||||||
mountPath: /etc/dex/cfg
|
mountPath: /etc/dex/cfg
|
||||||
|
- name: certs
|
||||||
|
mountPath: /var/certs
|
||||||
|
readOnly: true
|
||||||
volumes:
|
volumes:
|
||||||
- name: config
|
- name: dex-config
|
||||||
configMap:
|
configMap:
|
||||||
name: dex-config
|
name: dex-config
|
||||||
|
- name: certs
|
||||||
|
emptyDir: {}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
@ -98,4 +135,5 @@ spec:
|
|||||||
selector:
|
selector:
|
||||||
app: dex
|
app: dex
|
||||||
ports:
|
ports:
|
||||||
- port: 80
|
- port: 443
|
||||||
|
name: https
|
||||||
|
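Review bot: The `generate-certs` init container's bash script in the second hunk does not begin with `set -euo pipefail`, so a failing `cd /var/certs`, `cfssl genkey` or `cfssl gencert` step is not fatal and the init container exits 0, leaving Dex to fail later with a missing-cert error instead of the init container reporting the real cause; add `set -euo pipefail` as the first line of the `- |` block. The script also leaves `ca-key.pem` in the same `certs` emptyDir that is mounted into the `dex` container, so the CA private key is readable by the server process; harmless in a throwaway test cluster, but a `rm ca-key.pem` after `cfssl gencert` (or a separate volume) avoids this pattern being copied elsewhere. Because the volume is an emptyDir, a new CA is generated on every pod restart, so anything that captured `ca.pem` earlier stops validating; a Secret generated once would be stable across restarts.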
@ -130,8 +130,8 @@ func getLoginProvider(t *testing.T) *loginProviderPatterns {
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "Dex",
|
Name: "Dex",
|
||||||
IssuerPattern: regexp.MustCompile(`\Ahttp://dex\.dex\.svc\.cluster\.local/dex.*\z`),
|
IssuerPattern: regexp.MustCompile(`\Ahttps://dex\.dex\.svc\.cluster\.local/dex.*\z`),
|
||||||
LoginPagePattern: regexp.MustCompile(`\Ahttp://dex\.dex\.svc\.cluster\.local/dex/auth/local.+\z`),
|
LoginPagePattern: regexp.MustCompile(`\Ahttps://dex\.dex\.svc\.cluster\.local/dex/auth/local.+\z`),
|
||||||
UsernameSelector: "input#login",
|
UsernameSelector: "input#login",
|
||||||
PasswordSelector: "input#password",
|
PasswordSelector: "input#password",
|
||||||
LoginButtonSelector: "button#submit-login",
|
LoginButtonSelector: "button#submit-login",
|
||||||
@ -170,6 +170,7 @@ func TestCLILoginOIDC(t *testing.T) {
|
|||||||
agouti.Desired(caps),
|
agouti.Desired(caps),
|
||||||
agouti.ChromeOptions("args", []string{
|
agouti.ChromeOptions("args", []string{
|
||||||
"--no-sandbox",
|
"--no-sandbox",
|
||||||
|
"--ignore-certificate-errors",
|
||||||
"--headless", // Comment out this line to see the tests happen in a visible browser window.
|
"--headless", // Comment out this line to see the tests happen in a visible browser window.
|
||||||
}),
|
}),
|
||||||
// Uncomment this to see stdout/stderr from chromedriver.
|
// Uncomment this to see stdout/stderr from chromedriver.
|
||||||
@ -413,6 +414,15 @@ func oidcLoginCommand(ctx context.Context, t *testing.T, pinnipedExe string, ses
|
|||||||
"--session-cache", sessionCachePath,
|
"--session-cache", sessionCachePath,
|
||||||
"--skip-browser",
|
"--skip-browser",
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// If there is a custom CA bundle, pass it via --ca-bundle and a temporary file.
|
||||||
|
if env.OIDCUpstream.CABundle != "" {
|
||||||
|
path := filepath.Join(t.TempDir(), "test-ca.pem")
|
||||||
|
require.NoError(t, ioutil.WriteFile(path, []byte(env.OIDCUpstream.CABundle), 0600))
|
||||||
|
cmd.Args = append(cmd.Args, "--ca-bundle", path)
|
||||||
|
}
|
||||||
|
|
||||||
|
// If there is a custom proxy, set it using standard environment variables.
|
||||||
if env.Proxy != "" {
|
if env.Proxy != "" {
|
||||||
cmd.Env = append(os.Environ(),
|
cmd.Env = append(os.Environ(),
|
||||||
"http_proxy="+env.Proxy,
|
"http_proxy="+env.Proxy,
|
||||||
|
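Review bot: `--ignore-certificate-errors` in the `TestCLILoginOIDC` hunk disables TLS verification for every site the headless Chrome visits, not just the Dex issuer, so the browser leg of the login flow no longer exercises certificate validation at all even though `env.OIDCUpstream.CABundle` is available in this file; only the CLI leg (via `--ca-bundle` in `oidcLoginCommand`) is verified. If chromedriver cannot be pointed at a custom CA bundle that trade-off is acceptable, but the line deserves a comment saying so, e.g. `"--ignore-certificate-errors", // Dex uses a throwaway test CA; the CLI leg still verifies it via --ca-bundle.`. In `oidcLoginCommand` the bundle is written with mode `0600` under `t.TempDir()`, which is good; `ioutil.WriteFile` has been deprecated since Go 1.16 in favour of `os.WriteFile`, worth switching if the rest of the file has already moved. Both enclosing functions start before and continue after their hunks.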
@ -48,6 +48,7 @@ type TestEnv struct {
|
|||||||
|
|
||||||
OIDCUpstream struct {
|
OIDCUpstream struct {
|
||||||
Issuer string `json:"issuer"`
|
Issuer string `json:"issuer"`
|
||||||
|
CABundle string `json:"caBundle" `
|
||||||
ClientID string `json:"clientID"`
|
ClientID string `json:"clientID"`
|
||||||
LocalhostPort int `json:"localhostPort"`
|
LocalhostPort int `json:"localhostPort"`
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
@ -130,6 +131,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
|
|||||||
result.Proxy = os.Getenv("PINNIPED_TEST_PROXY")
|
result.Proxy = os.Getenv("PINNIPED_TEST_PROXY")
|
||||||
|
|
||||||
result.OIDCUpstream.Issuer = needEnv(t, "PINNIPED_TEST_CLI_OIDC_ISSUER")
|
result.OIDCUpstream.Issuer = needEnv(t, "PINNIPED_TEST_CLI_OIDC_ISSUER")
|
||||||
|
result.OIDCUpstream.CABundle = os.Getenv("PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE")
|
||||||
result.OIDCUpstream.ClientID = needEnv(t, "PINNIPED_TEST_CLI_OIDC_CLIENT_ID")
|
result.OIDCUpstream.ClientID = needEnv(t, "PINNIPED_TEST_CLI_OIDC_CLIENT_ID")
|
||||||
result.OIDCUpstream.LocalhostPort, _ = strconv.Atoi(needEnv(t, "PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT"))
|
result.OIDCUpstream.LocalhostPort, _ = strconv.Atoi(needEnv(t, "PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT"))
|
||||||
result.OIDCUpstream.Username = needEnv(t, "PINNIPED_TEST_CLI_OIDC_USERNAME")
|
result.OIDCUpstream.Username = needEnv(t, "PINNIPED_TEST_CLI_OIDC_USERNAME")
|
||||||
|
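Review bot: The new struct tag in the `TestEnv` hunk has a stray trailing space inside the backticks (`json:"caBundle" `), which differs from every neighbouring tag and is the kind of thing `go vet`'s structtag check complains about; drop the space so the tag reads json:"caBundle" exactly like `json:"issuer"` above it. In the `loadEnvVars` hunk, `CABundle` is read with `os.Getenv` while `Issuer` uses `needEnv`, so an https issuer with an empty bundle is accepted silently and only fails later in the CLI's TLS handshake; if a private CA is always expected alongside an https issuer, consider a targeted check there, otherwise a field comment such as `// CABundle is an optional PEM bundle for the issuer; empty means the system roots are used.` makes the contract explicit. Both enclosing definitions continue outside the hunks.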